CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: "External" addresses should be considered internal

  1. #1
    Join Date
    2015-10-12
    Posts
    2
    Rep Power
    0

    "External" addresses should be considered internal

    Ok I'm not quite getting this topology thing. Perhaps I didn't phrase my issue right, but I hope you get what I mean anyway.

    We have 2 sites, both with a standalone 4200 appliance with Gaia 77.30 installed. These sites are connected through an EVPN (MPLS) setup.
    Consider the following example:

    [Image: 2GY3DZW.jpg]

    The interfaces on both appliances that lead to the 172.16.1.0/24 network are set to 'Internal' in both topologies, because, in my opinion, they shouldn't be considered external. Now, when I have traffic traveling from one of the internal networks on site A to an internal network on site B (192.168.1.1 to 10.0.1.1) or vice versa, the appliance considers this traffic to be from an external source, so it is processed by my IPS and Application/URL filtering blades. I don't want that.

    I want my appliance on site A to realize that data coming from 10.0.1.1 is internal traffic, and the same goes for site B receiving traffic from 192.168.1.1.

    How do I configure this?

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    596
    Rep Power
    4

    Re: "External" addresses should be considered internal

    Did you try using Network Exceptions on the IPS blade menu?

  3. #3
    Join Date
    2015-10-12
    Posts
    2
    Rep Power
    0

    Re: "External" addresses should be considered internal

    Originally posted by laf_c:
        Did you try using Network Exceptions on the IPS blade menu?

    I did not, because it's not just the IPS blade that's involved when traffic is considered internal <> external. For example, I have SIP traffic between the 2 sites and it's being processed by the Application/URL filtering blade, which I don't want.

    I've failed to mention that the networks of site B are added to the interface group on the external interface on site A, and vice versa.

    [Image: EXilbyg.png]

    But I'm still seeing traffic coming from site A going to site B being processed by the Application/URL filtering blade.

    [Image: xEheu3e.png]
